Is The Zopa Login Secure?
The Zopa login page, as well as Zopa's cyber security in general, needs to be strong to deter hackers keen to try and take a piece of the billion pounds being lent through this peer-to-peer lending site.
As WordFence says, the “secure” symbol in your browser next to the URL does not automatically mean “safe”. So how secure and safe is the Zopa login and other aspects of its website?
Standard tests of Zopa's cybersecurity
The website is B-rated by Qualys' SSL Labs for its server strength.
Its rating is capped at B because of its cipher suites, which are the sets of cryptographic algorithms used to secure connections to Zopa's servers. According to Qualys, Zopa* does not appear to support the only type of cipher suite to have no known possible weaknesses – AEAD suites.
But that doesn't mean that a weakness exists or that any weakness would have a big impact on lenders. Zopa could be taking other steps to mitigate or eliminate those weaknesses.
Sucuri* rates the risk of malware to be low. Malware is malicious software, like a virus, that might attempt to disrupt the Zopa website or get inside it.
Zopa's website security certificate is valid, trusted, and the security key is not weak. The security key is expected to verify that information has not been tampered with. The security certificate validates the authenticity of a website as well as being a tool to encrypt information going from Zopa to your browser and back again.
The website is not vulnerable to the Heartbleed and Ticketbleed threats, which would allow people to easily steal information from Zopa.
ROBOT, BEAST and POODLE might sound like nicknames given to combatants in Robot Wars, but they are actually more security weaknesses. Blessedly, these are not exploitable on the Zopa site, as we would hope and expect.
There is no obviously poor encryption and no clearly weak ciphers, such as RC4, which would result in a large number of different vulnerabilities.
According to Qualys, Zopa hasn't yet adopted TLS 1.3 (RFC 8446), but this has only been around for a few months so we should give them time. TLS 1.3 is the latest set of rules for encrypting the communication between your browser and Zopa's servers (Zopa's computers with your data on them). Most financial websites will still be using TLS 1.2, which is what Zopa is doing, provided you don't have an out-of-date browser.
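As an added illustration (not part of the original article and not Qualys' own tooling), the Python below sorts the cipher suite names a server advertises into weak, AEAD and non-AEAD groups, which is the distinction behind the AEAD and RC4 points above. The suite lists are constructed samples, not Zopa's actual configuration, and the function names are hypothetical.

```python
import re

# Name fragments that mark a suite as AEAD (authenticated encryption).
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20"}
# Name fragments that mark a suite as clearly weak (RC4, DES/3DES, export, NULL, MD5).
WEAK_TOKENS = {"RC4", "3DES", "DES", "CBC3", "NULL", "EXP", "EXPORT", "MD5"}


def classify(suite: str) -> str:
    """Return 'weak', 'aead' or 'non-aead' for an OpenSSL- or IANA-style name."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    if tokens & WEAK_TOKENS:      # weak wins even if another token looks fine
        return "weak"
    if tokens & AEAD_TOKENS:
        return "aead"
    return "non-aead"             # typically AES or Camellia in CBC mode


def audit(suites):
    """Group suite names and report whether any AEAD suite is offered at all."""
    groups = {"weak": [], "aead": [], "non-aead": []}
    for name in suites:
        groups[classify(name)].append(name)
    return {
        "weak": groups["weak"],
        "aead": groups["aead"],
        "non_aead": groups["non-aead"],
        "no_aead_support": not groups["aead"],
    }


# Constructed sample: a TLS 1.2 server offering only CBC-mode suites.
CBC_ONLY = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA", "AES256-SHA256"]
# Constructed sample: AEAD suites first, one legacy RC4 suite left enabled.
MIXED = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
         "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, suites in (("cbc-only", CBC_ONLY), ("mixed", MIXED)):
        report = audit(suites)
        print(label, "| AEAD offered:", not report["no_aead_support"],
              "| weak:", report["weak"] or "none")
```

A list like the first sample has no weak suites yet offers no AEAD suite, which is the situation the article describes as capping the rating at B.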
Another standard test also detected no malware or server errors that could be exploited by malware.
The website is not blacklisted by any anti-spam groups, such as McAfee or Norton Safe Web.
While no firewall was detected at Zopa, standard tests often can't detect them properly and I think we can count on Zopa to have such a basic safety feature in place. Firewalls are an important defence against hackers.
What's the bottom line for these tests?
The above tests show that there are no obvious signs that Zopa's website is unsafe. If it had failed any of the above tests, it would have been of deep concern.
Is your Zopa login safe?
Your Zopa login is much more likely to be unsafe if you don't create a decent password and keep it safe. Unlike RateSetter, Zopa doesn't offer two-factor authentication (when you confirm your identity through your phone as well as through a password) and it doesn't appear to log you out automatically – at least not within 15 minutes.
The length of your password is the most important aspect by far. Indeed, the genius who came up with the idea of a shorter password with numbers, capital letters and special characters has recently, and sheepishly, apologised for wasting everyone's time and giving a false sense of security in shorter passwords.
A 16-character password, even one simply made up of a few memorable words strung together, like “donthackmeplease”, offers extremely high security.
*Commission and impartial research: our service is free to you. We already show dozens of P2P lending companies in our accurate comparison tables and we keep adding more as soon as they provide us with enough details. We receive compensation from Zopa and other P2P lending companies not mentioned above when you click through from our website and open accounts with them. We vigorously ensure that this doesn't affect our editorial independence. Read How we earn money fairly with your help.
We also receive commission from Sucuri if a business clicks through and buys its cyber security services.